Earlier this week, Meta was fined €405 million ($403 million USD) by the Irish Data Protection Commission (DPC), Ireland’s supervisory authority for upholding the General Data Protection Regulation (GDPR), for letting users between 13 and 17 operate business accounts on Instagram.
Under Instagram’s sign-up process, business accounts have publicly exposed phone numbers and email addresses, leaving the personal data of minors exposed online.
The fine is the second largest under the GDPR, following $888 million charged to Amazon in July 2021, and comes shortly after the DPC fined the organization $16.9 million in March 2022.
While most enterprises don’t process the information of minors, the DPC’s decision highlights that data protection regulations are being interpreted much more broadly by regulators to the point where a poorly optimized sign-up process with loose privacy settings can trigger serious legal repercussions.
At a high level, the Meta decision highlights that the regulatory burdens on collecting and processing data are expanding to the point where companies have less margin for error when collecting and processing data, from entering the data to analyzing it.
Lack of transparency or blunders at any stage of this process can lead to devastating fines — not just under the GDPR, but also emerging regulations like the California Consumer Privacy Act (CCPA), which recently handed out a fine of $1.2 million to online retailer Sephora.
Due to fast movement in the regulatory landscape, enterprises are forced to implement new controls at speed to protect customer data.
Research shows that 49% of compliance professionals report that regulatory change has had an adverse impact on their compliance function’s ability to perform its role.
In a regulatory landscape that’s continually evolving, organizations need to develop much more optimized data protection practices and can’t afford to rely on consent forms and privacy policies to guarantee compliance.
“Society cares deeply about how their data is used by software services, in particular the personal information of children.” said Mohit Tiwari, cofounder and CEO at Symmetry Systems.
“Individuals may not have the knowledge or, in most cases, time to sufficiently inform complex privacy settings that aren’t set by default. Hence, we have pushed for stronger compliance protections. This case is yet another example which demonstrates that companies are now being held responsible for securing personal information at point of data entry,” Tiwari said.
Modern data protection regulations not only expect enterprises to protect confidential information, but also to offer users transparency over how their data is shared and processed.
Tiwari explained that under regulatory frameworks like the GDPR, organizations need to be transparent about how they collect customer information, maintaining complete awareness of where it’s stored, how it can be accessed, how it is used and how it is kept secure.
As a consequence, regular auditing and privacy impact assessments are critical tools that organizations have at their disposal to assess their data security posture, and should be applied continuously to ensure compliance long term.
(Copyright: VentureBeat What Meta's GDPR fine can teach CISOs about data protection | VentureBeat)